Why You Must Build Cybersecurity Into Your Applications

One of the largest changes underway in the way we create software is that cybersecurity is no longer an afterthought, but instead is being built into every application. The challenge many companies face is how to keep up and make sure the software they create is just as safe as the products they buy. That’s what we will cover today.

In a series of recent articles, I’ve been analyzing how companies can best allocate their security portfolio dollars. Just as with an investment portfolio, I’ve argued that you want to make sure you’re getting a return on your investment and that you’re spreading your investments out, so you’re not overexposed in any one area.

In a series on how companies can create the right security portfolio for their needs, I’ve put forward a five-step approach: 1) Determine Needs, 2) Allocate Spending According to Risk, 3) Design Your Portfolio, 4) Choose the Right Products, and 5) Rebalance as Needed. Those five steps need to address the five core tenets of cybersecurity as identified by the National Institute of Standards and Technology (NIST) framework, which are identification, prevention, detection, response, and recovery. However, how companies allocate their investments in each of these buckets can and should be customized to their individual assets and operations.

To understand the security products on the market that can help companies address these complicated issues, I’ve interviewed numerous experts from leading security solutions companies. For this piece, I spoke with Jeff Williams, the co-founder and CTO of Contrast Security to get a sense of where his company’s products fall into the larger security portfolio. Now that all companies are software companies, Contrast addresses a critical space: ensuring that the software companies develop is secure.

Because Contrast does both vulnerability detection and attack blocking, it achieves prevention, detection, and response. Contrast is a bit like a vaccine for your applications. It works throughout the software lifecycle, during development, testing, and operation, allowing companies to protect their applications from within because the product is embedded within the applications themselves. As Williams told me, this approach emerged from the dilemma companies face when they try to protect their software.

Jeff Williams, co-founder and CTO of Contrast Security (photo: SRK Headshot Day)

A terrible choice: Innovation or security

“Companies face a terrible choice: either they turn their business into software and they accept the fact that they’re going to have rampant vulnerabilities and breaches or they let their competition win the innovation race. And everyone chooses software,” said Williams. “But as a result, we’re going to have 111 billion new lines of code in 2017. And the problem is that these legacy tools, dynamic analysis tools, static analysis tools and web application firewalls, were invented in the early 2000s. They’re absolutely incapable of scaling to the level of modern software.” This requires an approach that uses automation.

Every business that has been around for more than five years will have legacy software integration challenges, which require developing new code. Companies are constantly integrating new software platforms with older systems, and a cybersecurity platform has to be able to protect all of these assets.

Instrumentation is key to visibility

To solve this problem, Contrast’s leaders looked at how other industries try to achieve safety and security in complex systems, like nuclear power plants or airplanes. The idea they came away with was that instrumentation is the key to gaining visibility from inside the system.

“Contrast instruments applications with a variety of capabilities for security analysis as well as attack detection and prevention,” Williams said. “What we say is that it turns applications into self-protecting software. And Contrast is easy to install.”

That’s where the analogy to a vaccine comes in: Contrast is placed within an application – whether that application is in the cloud, in a container or on premises – and then helps that software to continuously assess its own health to see if it has any vulnerabilities and protect against attacks. This is very different from traditional scanning-based protection, as it operates much more quickly and can analyze hundreds of applications simultaneously, rather than one at a time.

As I’ve written throughout this series, visibility is a vital factor in cybersecurity. I’ve looked at other products (like Splunk, Tenable, and Gigamon) that offer visibility, all of which have the goal of allowing companies to make more informed decisions about where their defenses are the weakest and how well their security products are performing. Just as with using big data to guide customer outreach, this type of analytic insight allows businesses to make better decisions.

Identify vulnerabilities during development and attacks in production

Like many of the other products I’ve examined, Contrast takes a behavioral rules-based approach. But Contrast uses its platform both to identify vulnerabilities during development and to identify attacks during production.

“We observe the application run, we watch the behaviors of the actual application and then we map them against a set of behaviors that we either want to allow or disallow,” Williams said. When something violates one of those established rules, Contrast posts an alert and blocks the attack. One important thing to keep in mind, he noted, is that even today, most attacks exploit known vulnerabilities. “All of the major breaches, that you read about in the news, have been via known attack vectors.” Therefore, training software to detect them can go a long way in establishing solid prevention.
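The observe-and-match mechanism Williams describes (watch what the running application actually does, compare each behavior with a set of allowed or disallowed behaviors, then alert and block) is easiest to see in code. The following is an added illustration written for this article, not Contrast’s code or API; the agent, its two rules, the "monitor" and "protect" modes, and the sample data are all hypothetical. It also shows the development-versus-production split from the heading above: in monitor mode a violation is recorded as a vulnerability finding but the call proceeds, while in protect mode the same violation is blocked as an attack.

```python
"""Toy in-application security agent: instruments sensitive sinks (file reads,
SQL execution), checks each observed call against allow/disallow rules, records
an alert, and in protect mode blocks the call. Hypothetical illustration only."""
import functools
import os
import sqlite3
import tempfile
from dataclasses import dataclass, field

# Constructed sandbox: the one directory the application is allowed to read from.
ALLOWED_ROOT = os.path.realpath(tempfile.mkdtemp(prefix="appdata-"))
with open(os.path.join(ALLOWED_ROOT, "report.txt"), "w") as fh:
    fh.write("quarterly report")


@dataclass
class Agent:
    """Stand-in for an agent embedded in the running application (hypothetical)."""
    mode: str = "protect"                               # "monitor" reports; "protect" also blocks
    request_inputs: set = field(default_factory=set)    # untrusted values in the current request
    alerts: list = field(default_factory=list)

    def instrument(self, rule):
        """Decorator: observe every call to a sink and apply one behavioral rule."""
        def wrap(sink):
            @functools.wraps(sink)
            def guarded(*args, **kwargs):
                reason = rule(self, *args, **kwargs)
                if reason is None:
                    return sink(*args, **kwargs)        # behavior is on the allow side
                self.alerts.append({"sink": sink.__name__, "reason": reason, "mode": self.mode})
                if self.mode == "protect":
                    raise PermissionError(f"blocked {sink.__name__}: {reason}")
                return sink(*args, **kwargs)            # monitor: record the finding, let it run
            return guarded
        return wrap


def rule_path_inside_root(agent, path, *_, **__):
    """Disallow file reads whose resolved path leaves ALLOWED_ROOT."""
    real = os.path.realpath(path)
    if os.path.commonpath([real, ALLOWED_ROOT]) != ALLOWED_ROOT:
        return f"file access outside allowed root: {path}"
    return None


def rule_query_not_built_from_input(agent, conn, sql, params=()):
    """Simplified taint check: untrusted request text appearing inside the SQL
    string means the query was assembled by concatenation, not parameterized."""
    for value in agent.request_inputs:
        if value and value in sql:
            return "request input concatenated into SQL text"
    return None


agent = Agent()


@agent.instrument(rule_path_inside_root)
def read_file(path):
    with open(path) as fh:
        return fh.read()


@agent.instrument(rule_query_not_built_from_input)
def run_query(conn, sql, params=()):
    return conn.execute(sql, params).fetchall()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])   # constructed rows
    return conn


def lookup_user(conn, name, parameterized=True):
    """Request handler. The parameterized form is the safe pattern; the other is
    the vulnerable pattern the agent should report (dev) or block (prod)."""
    agent.request_inputs = {name}
    if parameterized:
        return run_query(conn, "SELECT role FROM users WHERE name = ?", (name,))
    return run_query(conn, f"SELECT role FROM users WHERE name = '{name}'")


def run_demo():
    """Exercise both modes and both rules; returns a summary dict."""
    conn = make_db()
    agent.alerts.clear()
    results = {}
    agent.mode = "monitor"                                  # development / test
    results["monitor_concat"] = lookup_user(conn, "alice", parameterized=False)
    agent.mode = "protect"                                  # production
    results["prod_param"] = lookup_user(conn, "alice")
    try:
        lookup_user(conn, "bob", parameterized=False)
        results["prod_concat"] = "allowed"
    except PermissionError:
        results["prod_concat"] = "blocked"
    results["report"] = read_file(os.path.join(ALLOWED_ROOT, "report.txt"))
    try:
        read_file(os.path.join(ALLOWED_ROOT, "..", "outside.txt"))
        results["traversal"] = "allowed"
    except PermissionError:
        results["traversal"] = "blocked"
    results["alert_count"] = len(agent.alerts)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the design is the one Williams makes: because the checks run inside the application, the rules see the real resolved path and the real SQL text at the moment of the call, so the same rule set produces vulnerability findings in development and blocked attacks in production without a separate scanner.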

This plays into the idea of addressing the low-hanging fruit with security first. I’ve heard this from others I’ve talked to about cybersecurity – that so many of the most effective practices companies can employ are straightforward. Many vulnerabilities are not new or innovative, and yet companies still do not do enough to ward against them. Further, for many organizations, while they know that security should be integral to software development from the outset, it's hard to do so in practice and at scale given pressures toward constant innovation.

Ideally, according to Williams, Contrast should be implemented from the day a piece of software is deployed so that it can begin to detect vulnerabilities right away. “Contrast isn’t magic – the reason that we can do that is because we have a huge information advantage,” Williams said. “Because we’re inside the running application, we have access to information that other tools simply can’t access. Things like backend connections and libraries and frameworks, configuration, runtime data flow, all of this. Looking at the application through all these different lenses allows us to see a broader range of vulnerabilities and do it much more quickly and accurately than other tools. These capabilities are essential for any organization moving to agile/DevOps methodologies.”

Contrast automates processes that have mainly been done manually in the past. “Doing this prevention manually is great, but it takes forever,” Williams said. He added that there’s no way a typical organization can have enough experts on hand to truly tackle the full range of threats manually. Therefore, automation is not only necessary, but essential.

Where does this type of visibility fit into your larger portfolio?

Williams reinforced a point I’ve made as well: companies today need 50 to 60 products to really ensure their full security portfolio is covered. There is no one product to rule them all that ensures that everything from identification to recovery is perfectly done. Williams sees Contrast as a way to consolidate the application security space, but still as part of a larger cybersecurity solution that involves many tools. This is one of the crucial impacts of greater visibility: you gain the understanding of what’s working and what’s not. Contrast is therefore designed to alleviate the need for so many products by automating application vulnerability detection and attack protection while providing a level of transparency not previously available.

“In terms of your overall portfolio spend, the idea is to allocate a smaller amount of money through automation instead of having to use an expensive team of people and spend more money to find issues,” said Williams. “And even then, you wouldn’t know if your applications were secure. Contrast gives you a far more accurate idea of the threats you actually face because it scales to your entire application portfolio, runs in parallel, and provides accurate visibility continuously.”

Whether with Contrast or another product, striving to achieve the highest level of transparency you can with regard to your cybersecurity is vital to quality prevention and detection. Implementing such visibility must be a priority in your cybersecurity portfolio spend.

My mission: Find technology for Early Adopters. Follow me on Twitter @danwoodsearly, on LinkedIn at www.linkedin.com/in/danwoodsearly/, and on my blog at https://earlyadopter.com. I am a CTO, writer, and consultant. For tech vendors, I help explain their technology. For users, I hel...